opstree_devops.linux_armour
Ansible Role: osm_linux_armour
This Ansible role focuses on checking the security of Ubuntu systems based on the CIS benchmark.
S. No. | Services | Checks Covered |
---|---|---|
1. | Special Purpose Services | Make sure Avahi, DHCP, and LDAP Server are not turned on |
2. | Service Client | Ensure that rsh, telnet, and LDAP client are not installed |
3. | inetd Services | Ensure the telnet server, the discard service, and the rsh server are not installed |
4. | Logging and Auditing | Confirm that auditd is installed and active, check audit log storage size, ensure the system disables when audit logs are full, audit logs are not deleted automatically, record login/logout events, and gather session initiation info |
5. | Filesystem Configuration | Turn off unused filesystems, ensure sticky bit is set on all directories writable by everyone, and disable Automounting |
6. | System File Permissions | Ensure permissions are configured on passwd, passwd-, group, group-, shadow, shadow-, gshadow, gshadow- |
7. | Filesystem Integrity Check | Regularly check the filesystem integrity |
8. | Additional Process Hardening | Limit core dumps and disable prelink |
9. | Network Configuration for Host | Disable IP forwarding and packet redirect sending, and log suspicious packets |
10. | Network Configuration for Host and Router | Ignore bogus ICMP responses, enable Reverse Path Filtering, enable TCP SYN Cookies |
11. | TCP Wrapper | Set permissions for /etc/hosts.allow and /etc/hosts.deny appropriately |
12. | Uncommon Network Protocols | Turn off DCCP and SCTP |
13. | Secure Boot Settings | Set permissions for bootloader config and require authentication for single user mode |
14. | Mandatory Access Control | Check the MAC settings and, where MAC is enabled, ensure SETroubleshoot is not installed |
Version History
Date | Version | Description | Changed By |
---|---|---|---|
Feb 27 | v0.0.1 | Strengthen Ubuntu OS based on important CIS benchmarks | Anjali Singh |
Aug 08 | v0.0.2 | Added support for CentOS | Anjali Singh |
Salient Features
- This role configures the OS according to essential CIS benchmarks.
Supported OS
- Ubuntu: bionic
- CentOS: 8
Dependencies
- Python must be installed on the testing server.
Role Variables
There are two types of variables: Mandatory and Optional. Mandatory variables must be set according to the CIS benchmark, while Optional variables depend on the services used and can be enabled or disabled based on needs.
Mandatory Variables
Variables | Default Values | Description |
---|---|---|
System_File_Permissions | host.conf, hostname, hosts, hosts.allow, hosts.deny, passwd, passwd-, shadow, shadow-, gshadow, gshadow-, group, group- | Special files whose permissions will change. |
os_packages_clean | true | Remove outdated packages |
os_packages_list | xinetd, inetd, ypserv, telnet-server, telnet-client, rsh-server, rsh-client, prelink, openldap-clients, openldap2-client, ldap-utils | Disable these services if not needed |
audit_package | auditd | Used to track logs |
Optional Variables
Variables | Optional Values | Description |
---|---|---|
os_services_name | avahi-daemon, dhcpd, slapd, named | Special services that can be stopped if not needed |
audit_max_log_file | 5 | Number of log files to retain |
os_audit_max_log_file_action | keep_logs | Action taken when the audit log reaches its maximum size; keep_logs retains the logs instead of rotating them |
Inventory
An inventory file should look like this:

```ini
[osconfig]
192.168.1.198 ansible_user=ubuntu
```
Example Playbook
Here is an example playbook:

```yaml
---
- name: OS audit
  hosts: osconfig
  become: true
  roles:
    - role: osm_linux_armour
```
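As an added example (not part of the role's README or code), the following playbook applies the role with the optional variables from the table overridden for this host group and then verifies a few of the listed controls on the target. It assumes the role is installed under the Galaxy name from the install line, that `os_services_name` accepts a YAML list, and that the targets run systemd.

```yaml
---
- name: Apply CIS hardening and verify a sample of the controls
  hosts: osconfig
  become: true
  vars:
    # Optional variables from the README (assumed to take a list / scalars)
    os_services_name:
      - avahi-daemon
      - slapd
    audit_max_log_file: 8
    os_audit_max_log_file_action: keep_logs
  roles:
    - role: opstree_devops.linux_armour   # name as installed by ansible-galaxy
  post_tasks:
    - name: Read the host network parameters the role is expected to set
      ansible.builtin.command: sysctl -n {{ item }}
      loop:
        - net.ipv4.ip_forward           # expected 0 (no IP forwarding)
        - net.ipv4.conf.all.rp_filter   # expected 1 (reverse path filtering)
        - net.ipv4.tcp_syncookies       # expected 1 (SYN cookies)
      register: sysctl_values
      changed_when: false

    - name: Fail the run if any network parameter deviates from the CIS value
      ansible.builtin.assert:
        that:
          - sysctl_values.results[0].stdout == '0'
          - sysctl_values.results[1].stdout == '1'
          - sysctl_values.results[2].stdout == '1'
        fail_msg: "host network hardening was not applied"

    - name: Collect the mode and owner of /etc/shadow
      ansible.builtin.stat:
        path: /etc/shadow
      register: shadow_stat

    - name: Fail if /etc/shadow is readable by others or not owned by root
      ansible.builtin.assert:
        that:
          - shadow_stat.stat.pw_name == 'root'
          # 0640 (root:shadow) on Ubuntu, 0000 on CentOS 8; both satisfy CIS
          - shadow_stat.stat.mode in ['0000', '0640']

    - name: Gather service facts to confirm auditd is active
      ansible.builtin.service_facts:

    - name: Fail if auditd is not running
      ansible.builtin.assert:
        that:
          - "'auditd.service' in ansible_facts.services"
          - "ansible_facts.services['auditd.service'].state == 'running'"
```

Run it with `ansible-playbook -i inventory verify.yml`; a failed assert stops the play on the affected host so a drifted control is reported rather than silently skipped.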
Future Proposed Changes
Updates will be made according to the 2020 CIS benchmarks.
Install
ansible-galaxy install opstree_devops.linux_armour
License
Unknown